The Taxman’s Shadow: Blackmoon Trojan Hijacks IT Tools to Spy on Indian Taxpayers
Fabricated notifications impersonating the Income Tax Department of India have emerged as the front for a sophisticated malware campaign that culminates in the deployment of the Blackmoon banking trojan. The operation specifically targets Indian users and quietly installs a multi-stage remote-access toolchain, apparently in support of a cyber-espionage operation.
According to analysis by the eSentire threat intelligence team, the attack is delivered by email messages alleging unpaid taxes. Recipients receive an archive containing malicious files disguised as audit-related documentation. Of the five embedded objects, only a single executable, named “Inspection Document Review.exe”, is visible to the user. This file loads a malicious DLL embedded in the same archive, which checks the environment for debuggers before connecting to an external server to retrieve the next payload.
The next component bypasses User Account Control (UAC) to obtain administrative privileges. It then masquerades as the legitimate Windows process explorer.exe to evade detection. Later in the chain, an installer named “180.exe” is downloaded from a Chinese domain; its behaviour changes depending on whether the Avast antivirus suite is present.
If the malicious code detects a running Avast instance, it simulates a series of mouse clicks to add the infected files to the antivirus exclusion list, so that the malicious activity persists without triggering defensive alerts. The DLL used in this phase has been identified by analysts as a variant of the Blackmoon trojan, a threat first documented in 2015 and previously deployed against enterprises in South Korea, the United States, and Canada.
Among the files dropped on the system is a program named “Setup.exe” from SyncFutureTec, which in turn launches a component named “mysetup.exe”. Analysts have identified this as the genuine SyncFuture TSM software, a corporate utility developed in China for legitimate remote monitoring and management.
By abusing this legitimate software, the attackers gain full control over the compromised device, from monitoring user activity to exfiltrating collected data to remote servers. The malware also creates dedicated user directories with their own access permissions, changes desktop security settings, and runs its own logging and cleanup routines.
In summary, analysts emphasize that this attack chain is notably complex. It combines antivirus evasion, privilege escalation, malicious DLL injection, and the weaponization of legitimate administrative tools. Such a cohesive strategy points to a high degree of technical sophistication and a careful understanding of the target environment on the part of the campaign's operators.